b'Department of Health and Human Services\n             OFFICE OF\n        INSPECTOR GENERAL\n\n\n\n\nHHS ADOPTED, ADMINISTERED,\n AND GENERALLY FOLLOWED\n  CLASSIFIED INFORMATION\n         POLICIES\n\n\n\n\n                    Daniel R. Levinson\n                     Inspector General\n\n                       May 2013\n                     OEI-07-12-00400\n\x0cEXECUTIVE SUMMARY: HHS ADOPTED, ADMINISTERED, AND\nGENERALLY FOLLOWED CLASSIFIED INFORMATION POLICIES\nOEI-07-12-00400\n\n\nWHY WE DID THIS STUDY\n\nThe Reducing Over-Classification Act of 2010 mandates that the Inspector General of\neach agency of the United States with an officer or employee who is authorized to make\noriginal classification decisions conduct two evaluations. One evaluation is intended to\n(1) assess whether applicable classification policies have been adopted, effectively\nadministered, and followed; and (2) identify practices that may contribute to\nmisclassification of material. This evaluation must be completed by September 30, 2013.\nA second evaluation must be completed by September 30, 2016, and must review\nprogress made pursuant to the results of the first. This report pertains to the first required\nevaluation and assesses whether the Department of Health and Human Services (HHS)\nhas adopted, effectively administered, and followed polices regarding classified national\nsecurity information (NSI). The second objective is addressed in the report entitled\nOriginally and Derivatively Classified Documents Met Most Federal Requirements\n(OEI-07-12-00401).\n\nHOW WE DID THIS STUDY\n\nWe identified and reviewed all of HHS\xe2\x80\x99s classified NSI guidance documents to determine\ntheir scope and content. We compared HHS\xe2\x80\x99s National Security Information Handbook\n(Handbook) to an Executive Order and its implementing Directive to determine whether\nit was consistent with Federal requirements. We interviewed officials responsible for\nensuring that HHS\xe2\x80\x99s classified NSI policies are effectively administered and followed.\nFinally, we surveyed Classification Security Officers responsible for providing guidance\nand oversight to their operating or staff divisions.\n\nWHAT WE FOUND\n\nHHS has adopted policies for classified NSI that are consistent with Federal\nrequirements. HHS used annual status reports and self-inspections to ensure that its\nclassified NSI policies are effectively administered. Finally, HHS provided guidance and\ntraining to individuals who access classified NSI to ensure that classified NSI policies are\nfollowed; however, not all Classification Security Officers received guidance or training.\n\nWHAT WE RECOMMEND\n\nWe recommend that the\xc2\xa0Office of Security and Strategic Information (OSSI), working on\nbehalf of the Office of the Secretary, clarify who is responsible for ensuring that\nClassification Security Officers receive training and ensure that all Classification Security\nOfficers receive guidance and training regarding classified NSI. OSSI concurred with\nboth recommendations and described actions taken to address them.\n\x0cTABLE OF CONTENTS\n\nObjective ......................................................................................................1 \n\nBackground ..................................................................................................1 \n\nMethodology ................................................................................................4 \n\nFindings........................................................................................................6 \n\n           HHS has adopted policies for classified NSI that are consistent\n           with Federal requirements................................................................6 \n\n           HHS used annual status reports and self-inspections to ensure \n\n           that its classified NSI policies are effectively administered ............7 \n\n           HHS provided guidance and training to individuals who access \n\n           classified NSI to ensure that its classified NSI policies are \n\n           followed; however, not all Classification Security Officers \n\n           received guidance and/or training....................................................8 \n\nConclusion and Recommendation .............................................................11\n\n           Agency Comments and Office of Inspector General Response.....12 \n\nAppendix....................................................................................................13 \n\n           A: Definition of Each Classification Level ...................................13 \n\n           B: Agency Comments ...................................................................14 \n\nAcknowledgments......................................................................................16\n\n\x0c                   OBJECTIVE\n                   To assess the extent to which the Department of Health and Human Services\n                   (HHS) has adopted, effectively administered, and followed applicable policies,\n                   procedures, rules, and regulations regarding classified national security\n                   information (NSI).\n\n                   BACKGROUND\n                   Classified NSI is information that requires protection against unauthorized\n                   disclosure and is marked to indicate its classified status.1 The Reducing\n                   Over-Classification Act of 2010 (the Act) mandates that the Inspector General of\n                   each agency of the United States with an officer or employee who is authorized to\n                   make original classification decisions conduct two evaluations. One evaluation is\n                   intended to (1) assess whether applicable classification policies, procedures, rules,\n                   and regulations (policies) have been adopted, effectively administered, and\n                   followed; and (2) identify policies, procedures, rules, and regulations, or\n                   management practices (practices) that may contribute to misclassification of\n                   material.2 This evaluation must be completed by September 30, 2013. A second\n                   evaluation must be completed by September 30, 2016, and must review progress\n                   made pursuant to the results of the first evaluation. This report assesses whether\n                   policies have been adopted, effectively administered, and followed. A companion\n                   report, entitled Originally and Derivatively Classified Documents Met Most\n                   Federal Requirements (OEI-07-12-00401), identifies practices that may\n                   contribute to misclassification of information. Both reports are being published\n                   concurrently.\n                   In addition, the Information Security Oversight Office (ISOO) of the National\n                   Archives and Records Administration requested that Inspectors General review\n                   their agencies\xe2\x80\x99 classified documents to determine whether the information within\n                   them was classified in accordance with Federal requirements.3 For information\n                   regarding ISOO\xe2\x80\x99s request, see Originally and Derivatively Classified Documents\n                   Met Most Federal Requirements (OEI-07-12-00401).\n                   Federal Requirements\n                   Executive Order No. 13526, its implementing Directive,4 and the Act have all\n                   directed Federal agencies to reduce unnecessary information classification or\n                   information classification at a higher and more restrictive level than necessary.\n\n                   1\n                     Executive Order No. 13526, published at 75 Fed. Reg. 707 (Jan. 5, 2010). \n\n                   2\n                     P.L. 111-258, \xc2\xa7 6. \n\n                   3\n                     ISOO is responsible to the President for policy and oversight of the Governmentwide security classification\n\n                   system and the National Industrial Security Program. ISOO receives policy and program guidance from the \n\n                   National Security Council. \n\n                   4\n                     32 CFR pt. 2001. \n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)                       1\n\x0c                   These initiatives are intended to promote information sharing across agencies;\n                   with State, local, and tribal governments; and with the public.5\n                   Executive Order No. 13526. In 2009, the President issued Executive Order\n                   No. 13526, entitled Classified National Security Information.6 This Executive\n                   Order sets forth a uniform system for classifying, safeguarding, and declassifying\n                   NSI and outlines the method of implementation.\n                   Implementing Directive: Classified National Security Information. Pursuant to\n                   Executive Order No. 13526, ISOO issued a Directive7, 8 to provide guidance to\n                   agencies regarding the classification system set forth in the order, including\n                   guidance on:\n                        \xef\x82\xb7\t original classification,9\n                        \xef\x82\xb7\t derivative classification,10\n                        \xef\x82\xb7\t declassification and downgrading,11\n                        \xef\x82\xb7\t the safeguarding of classified NSI,\n                        \xef\x82\xb7\t standards for establishing and maintaining an ongoing agency \n\n                           self-inspection program, and \n\n                        \xef\x82\xb7\t standards for agency security education and training programs.12\n                   Agency Self-Inspections. Each agency must establish and maintain ongoing\n                   self-inspection programs that include reviews of representative samples of the\n                   agency\xe2\x80\x99s original and derivative classification actions.13, 14 The self-inspections\n                   should determine whether the agency has adhered to the requirements for original\n                   classification, derivative classification, declassification, safeguarding, security\n                   violations, security education and training, and management and oversight of the\n\n                   5\n                     S. Rept. No. 111-200, at 1-2 (2010). \n\n                   6\n                     Executive Order No. 13526, published at 75 Fed. Reg. 707 (Jan. 5, 2010). \n\n                   7\n                     The Executive Order requires ISOO to issue directives as necessary to implement the uniform system for \n\n                   classifying, safeguarding, and declassifying NSI. \n\n                   8\n                     32 CFR pt. 2001, published at 75 Fed. Reg. 37254 (June 28, 2010). \n\n                   9\n                     \xe2\x80\x9cOriginal classification\xe2\x80\x9d is defined as an initial determination, in the interest of national security, that \n\n                   information requires protection from unauthorized disclosure. Executive Order No. 13526 \xc2\xa7 6.1(ff). \n\n                   10\n                      \xe2\x80\x9cDerivative classification\xe2\x80\x9d is defined as incorporating, paraphrasing, restating, or generating information \n\n                   that is already classified and marking the material consistent with the classifications that apply to the original\n\n                   information. Individuals who apply derivative classification markings need not have original classification \n\n                   authority, but must indicate their identity in a manner that is immediately apparent for each derivative \n\n                   classification action. Executive Order No. 13526 \xc2\xa7 6.1(o). \n\n                   11\n                      When information no longer meets the standards for classification, it must be declassified or downgraded \n\n                   by the official who authorized the original classification, the original classifier\xe2\x80\x99s current successor, a \n\n                   supervisory official, or an official delegated declassification authority. Executive Order No. 13526 \xc2\xa7 3.1. \n\n                   12\n                      75 Fed. Reg. 37254\xe2\x80\x9337275 (June 28, 2010). \n\n                   13\n                      The ongoing agency self-inspections are separate from the mandated evaluations required to be conducted\n\n                   by Inspectors General. \n\n                   14\n                      32 CFR \xc2\xa7 2001.60; Executive Order No. 13526 \xc2\xa7 5.4.\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)                           2\n\x0c                   Executive Order and the Directive.15 Each year, the agency must report the\n                   findings of its self-inspection program to the Director of ISOO.16\n                   Agency Security Education and Training. Each agency must establish security\n                   education and training programs that ensure that all employees who create,\n                   process, or handle classified information understand the classification,\n                   safeguarding, and declassification policies and procedures.17 These employees\n                   include Classification Security Officers and other individuals who have access to\n                   classified NSI and the appropriate security clearance. Although these employees\n                   need not have original classification authority, they may derivatively classify\n                   information.18 Guidance and training provided to these employees is intended to\n                   reduce instances of overclassification and ensure that practices regarding\n                   classification, safeguarding, and declassification are followed.\n                   HHS\xe2\x80\x99s Classified NSI Program\n                   On January 9, 2012, the Office of Security and Strategic Information (OSSI)\n                   released HHS\xe2\x80\x99s Classified National Security Information Policy. The purpose of\n                   the policy is to ensure that all HHS agencies are aware of and compliant with\n                   Federal requirements related to the sharing, handling, and safeguarding of\n                   classified NSI.19 This policy clarifies the responsibilities of HHS and division\n                   officials tasked with implementing HHS\xe2\x80\x99s NSI program as set forth in Executive\n                   Order No. 13526 and Federal regulations. Specifically, this policy indicates that\n                   the Secretary of HHS (Secretary) serves as the original classification authority\n                   (OCA)20 for HHS and may classify documents up to the \xe2\x80\x9cSecret\xe2\x80\x9d classification\n                   level.21, 22 This policy also charges the OSSI director with developing\n                   departmentwide policy and managing and overseeing the classified NSI\n                   program.23 In addition, the policy requires that each HHS operating division and\n                   staff division designate a Classification Security Officer. The Classification\n                   Security Officer is responsible for providing his or her division with guidance and\n                   oversight on the handling and safeguarding of classified NSI. The Classification\n                   Security Officer is also responsible for conducting an initial review of his or her\n                   division\xe2\x80\x99s classified documents and coordinating this review with OSSI.24\n\n                   15\n                      32 CFR \xc2\xa7 2001.60(c). \n\n                   16\n                      32 CFR \xc2\xa7 2001.60(f). \n\n                   17\n                      32 CFR Part 2001, Subpart G; Executive Order No. 13526 \xc2\xa7 4.1(a). \n\n                   18\n                      Executive Order No. 13526 \xc2\xa7 6.1(o). \n\n                   19\n                      Ibid., p. 3. \n\n                   20\n                      An OCA is an individual authorized in writing, by the President, the Vice President, agency heads (such as \n\n                   the Secretary), or other officials designated by the President, to classify information in the first instance. \n\n                   Executive Order No. 13526 \xc2\xa7 6.1(gg). \n\n                   21\n                      OSSI, Classified National Security Information Policy, January 9, 2012. \n\n                   22\n                      Information may be classified at one of three levels: (1) \xe2\x80\x9cTop Secret,\xe2\x80\x9d (2) \xe2\x80\x9cSecret,\xe2\x80\x9d or (3) \xe2\x80\x9cConfidential.\xe2\x80\x9d\n\n                   See Appendix A for a description of each classification level. \n\n                   23\n                      OSSI, Classified National Security Information Policy, January 9, 2012. \n\n                   24\n                      Ibid., \xc2\xa7 6.4. \n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)                        3\n\x0c                   HHS has implemented the requirements of Executive Order No. 13526 and its\n                   Directive in greater detail in its National Security Handbook (Handbook), which\n                   was released on February 17, 2012. It provides procedural guidance to HHS\n                   employees and contractors who have access to classified NSI and describes\n                   responsibilities for the handling and safeguarding of NSI. The Handbook\n                   indicates that the Secretary has delegated to the Deputy Secretary, the Director of\n                   OSSI, and the Associate Director of OSSI the authority to originally classify and\n                   declassify information.\n                   Related Reports\n                   In 2011, the Environmental Protection Agency (EPA) Office of Inspector General\n                   (OIG) was the first to issue its mandated evaluation.25 Although other OIGs are\n                   reportedly undertaking evaluations, they had not issued reports as of May 2013.\n\n                   METHODOLOGY\n                   We identified and reviewed all of HHS\xe2\x80\x99s classified NSI guidance documents to\n                   determine their scope and content, including HHS\xe2\x80\x99s policy and Handbook.26 We\n                   compared the Handbook to Executive Order No. 13526 and the Directive to\n                   determine whether it was consistent with Federal requirements. We conducted\n                   structured interviews with OSSI officials responsible for ensuring that HHS\xe2\x80\x99s\n                   classified NSI policies are effectively administered and followed. We also\n                   surveyed Classification Security Officers responsible for providing guidance and\n                   oversight regarding classified NSI to their divisions.\n                   We verified that OCAs and Classification Security Officers who have access to\n                   classified NSI and who derivatively classified information received the required\n                   guidance and training. However, we did not determine whether other individuals\n                   who have access to classified NSI and derivatively classify information received\n                   guidance and training.27 We determined which methods (e.g., self-inspections,\n                   training) HHS uses to ensure that its classified NSI policies are effectively\n                   administered and followed. We did not assess the implementation of those\n                   methods.\n                   Data Collection and Analysis\n                   Identification of NSI Policies. We asked OSSI to provide all of HHS\xe2\x80\x99s classified\n                   NSI guidance, including the current policy and Handbook. Once we identified all\n                   of HHS\xe2\x80\x99s classified NSI guidance, we reviewed each document to determine its\n                   scope and content. Specifically, we reviewed the Handbook to ensure that\n\n                   25\n                      EPA OIG, EPA Should Prepare and Distribute Security Classification Guides, Report No. 11-P-0722,\n                   September 2011.\n                   26\n                      In this report we collectively refer to HHS\xe2\x80\x99s policy and Handbook as policies.\n\n                   27\n                      We chose to limit our review to those individuals responsible for providing the Department and divisions \n\n                   with guidance and oversight on the handling and safeguarding of classified NSI. These individuals included \n\n                   the OCAs and the Classification Security Officers. \n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)                      4\n\x0c                   guidance regarding the following information was included: (1) original\n                   classification, (2) derivative classification, (3) declassification and downgrading,\n                   (4) safeguarding of classified NSI, (5) standards for establishing and maintaining\n                   an ongoing agency self-inspection program, and (6) standards for agency security\n                   education and training programs.\n                   Interviews With OSSI Officials. We conducted structured interviews with the\n                   Director and Associate Director of OSSI to gather information about how OSSI\n                   ensures that HHS\xe2\x80\x99s adopted policies are effectively administered. Specifically, we\n                   asked about (1) administration of HHS\xe2\x80\x99s self-inspection program and\n                   (2) procedures for reviewing the Department\xe2\x80\x99s classification actions. Lastly, we\n                   asked about OSSI\xe2\x80\x99s processes and procedures for annually reporting the findings\n                   regarding the Department\xe2\x80\x99s self-inspection program to ISOO.\n                   We also gathered information from these officials regarding how OSSI ensures\n                   that the Department\xe2\x80\x99s adopted policies are followed. Specifically, we asked\n                   questions regarding the (1) dissemination of classified NSI guidance to employees\n                   who create, process, or handle classified information; (2) identification of staff\n                   who are required to complete training; (3) training content; and (4) frequency with\n                   which the training is provided. After conducting the interviews, we analyzed the\n                   responses of each official. We compared the responses to identify patterns across\n                   the various interviews.\n                   Interviews With Classification Security Officers. We requested from OSSI the\n                   names and contact information of all of the designated Classification Security\n                   Officers at the time of our review. OSSI provided a roster of 16 primary\n                   Classification Security Officers for each division required to have such an officer.\n                   We asked each to confirm his or her status as a Classification Security Officer and\n                   to complete a survey regarding guidance and training that the Classification\n                   Security Officer may have received and/or provided regarding classified\n                   information. We received and analyzed responses from all 16 Classification\n                   Security Officers and compared the responses to identify patterns across the\n                   various surveys.\n                   Standards\n                   This study was conducted in accordance with the Quality Standards for Inspection\n                   and Evaluation issued by the Council of the Inspectors General on Integrity and\n                   Efficiency.\n\n\n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)   5\n\x0c                   FINDINGS\n                   HHS has adopted policies for classified NSI that are\n                   consistent with Federal requirements\n                   HHS has adopted policies regarding classified NSI and developed additional\n                   guidance related to specific division programs and interagency information\n                   sharing. HHS\xe2\x80\x99s policies regarding classified NSI follow Federal requirements\n                   outlined in Executive Order No. 13526 and its Directive. Certain HHS divisions\n                   have developed guidance that further defines policies regarding classified NSI for\n                   specific programs. HHS has also developed a draft policy on interagency\n                   information sharing across Federal agencies within the national security\n                   community.\n                   Adopted policies follow Federal requirements\n                   HHS has adopted a policy entitled Classified National Security Information\n                   Policy which references Federal requirements on classified NSI and outlines the\n                   purpose, applicability, and scope of the policy. It also defines the responsibilities\n                   of individuals charged with handling and safeguarding classified NSI. HHS has\n                   also issued the Handbook, which provides specific instructions for implementing\n                   Executive Order No. 13526 and its Directive. The Handbook contains guidance\n                   on the following topics, which were included in the Executive Order: (1) original\n                   classification, (2) derivative classification, (3) declassification and downgrading,\n                   (4) safeguarding of classified NSI, (5) standards for establishing and maintaining\n                   an ongoing agency self-inspection program, and (6) standards for agency security\n                   education and training programs. HHS\xe2\x80\x99s Handbook provides information that\n                   would assist an individual in completing each of these actions in accordance with\n                   Federal requirements.\n                   Additional guidance has been developed for specific programs and\n                   interagency information sharing\n                   According to HHS\xe2\x80\x99s policy, divisions should establish additional written\n                   procedures, when necessary, to implement the Department\xe2\x80\x99s classified NSI policy.\n                   As a result, certain divisions have established division-specific policies regarding\n                   classified NSI. For example, OSSI and the Food and Drug Administration (FDA)\n                   have developed a classification guide for FDA\xe2\x80\x99s Center for Food Safety and\n                   Applied Nutrition.28 This guide outlines standard operating procedures regarding\n                   classified NSI. The Centers for Disease Control and Prevention (CDC) has also\n                   developed guidance regarding classified NSI. For example, CDC issued guidance\n\n\n\n                   28\n                     FDA, Center for Food Safety and Applied Nutrition Standard Operating Procedures: National Security\n                   Classification of Vulnerability Assessments, April 2007.\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)                 6\n\x0c                   to its staff specifically addressing classification and marking of classified NSI.29\n                   HHS has also developed a policy for interagency information sharing entitled\n                   HHS Policy for Engagement With the National Security Community via the\n                   Information Sharing Environment. This policy designates OSSI, \xe2\x80\x9cwhich reports\n                   directly to the Deputy Secretary on intelligence and counterintelligence issues, as\n                   the Department\xe2\x80\x99s lead on sharing and safeguarding national security information.\xe2\x80\x9d\n                   The policy establishes the responsibilities of HHS employees, contractors, and\n                   divisions related to sharing and safeguarding homeland security information,\n                   terrorism-related information, law enforcement information related to terrorism,\n                   or intelligence-related information.30\n\n                   HHS used annual status reports and self-inspections to\n                   ensure that its classified NSI policies are effectively\n                   administered\n                   HHS has adopted methods to ensure that its classified NSI policies are effectively\n                   administered through various methods. For example, Classification Security\n                   Officers are required to complete annual status reports that document how their\n                   divisions handle and safeguard classified NSI.31 OSSI officials also conduct\n                   periodic self-inspections to determine whether derivatively classified documents\n                   were classified in accordance with Federal requirements. Finally, the findings\n                   from the Classification Security Officers\xe2\x80\x99 annual status reports and OSSI\xe2\x80\x99s\n                   self-inspections are used to complete required reporting forms and develop HHS\xe2\x80\x99s\n                   annual self-inspection report, which is provided to the Director of ISOO.\n                   Classification Security Officers completed required annual status\n                   reports\n                   To ensure that HHS\xe2\x80\x99s policies related to classified NSI are effectively\n                   administered, OSSI officials reported that each Classification Security Officer\n                   completed the required Annual Status Report on Classified Information (annual\n                   status report).32 The report is a self-assessment tool that Classification Security\n                   Officers complete to report how classified documents are being handled and\n                   safeguarded throughout HHS. The annual status report requires Classification\n                   Security Officers to provide specific information about their divisions\xe2\x80\x99\n\n                   29\n                     CDC, National Security Information Classification & Control Markings, 2012; CDC, Document Marking\n                   Briefing, 2012.\n                   30\n                      OSSI, Policy for Engagement With the National Security Community via the Information Sharing\n                   Environment (ISE), November 29, 2012.\n                   31\n                      Classification Security Officers are required to conduct security inspections of all offices in their divisions\n                   that store or handle classified information to ensure that individuals responsible for classified information\n                   comply with classified NSI policies. Further, these officers are required to audit their divisions\xe2\x80\x99 classified\n                   documents. The results of the security inspections and the audits are reported on the HHS \xe2\x80\x9cAnnual Status\n                   Report on Classified Information\xe2\x80\x9d forms, also referred to as \xe2\x80\x9cannual status reports.\xe2\x80\x9d\n                   32\n                      Classification Security Officers serving in divisions that did not develop and/or maintain classified NSI did\n                   not complete the annual status report.\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)                          7\n\x0c                   classification management programs. This information includes the location,\n                   number, and classification level of the classified documents; and the number of\n                   derivative classification decisions. OSSI officials reported that they use these\n                   annual status reports to determine which divisions may need additional training.\n                   OSSI conducted annual self-inspections\n                   OSSI officials also reported that they conducted annual self-inspections to ensure\n                   that HHS\xe2\x80\x99s classified NSI policies were effectively administered. The\n                   self-inspections included reviewing a sample of derivatively classified documents\n                   and conducting informal site visits to determine whether documents are classified\n                   in accordance with Executive Order No. 13526. One OCA stated that, during a\n                   self-inspection, she would \xe2\x80\x9creview the [derivative] classification decision with the\n                   individual making the classification and talk about any issues.\xe2\x80\x9d OSSI officials\n                   reported that they conducted periodic informal site visits to the divisions to ensure\n                   that classified documents were being handled and safeguarded in accordance with\n                   HHS policy and Federal requirements.\n                   Findings from the Classification Security Officers\xe2\x80\x99 annual status\n                   reports and the self-inspections were reported to ISOO\n                   HHS\xe2\x80\x99s self-inspection report included descriptions of the Department\xe2\x80\x99s\n                   self-inspection program and findings, which included information from the\n                   Classification Security Officers\xe2\x80\x99 annual status reports. HHS\xe2\x80\x99s self-inspection\n                   report addressed all topics required by Executive Order No. 13526 (original\n                   classification, derivative classification, declassification, safeguarding, security\n                   violations, security education and training, and management and oversight).\n                   OSSI officials reported that they are required to complete both the \xe2\x80\x9cAgency\n                   Security Classification Management Program Data\xe2\x80\x9d form, also referred to as\n                   \xe2\x80\x9cStandard Form 311,\xe2\x80\x9d and the self-inspection report annually and submit them to\n                   the Director of ISOO by November. The Associate Director of OSSI provided\n                   copies of both Standard Form 311 and the self-inspection report for 2011; both of\n                   these documents were submitted to ISOO by the November 2011 deadline.\n\n                   HHS provided guidance and training to individuals who\n                   access classified NSI to ensure that its classified NSI\n                   policies are followed; however, not all Classification\n                   Security Officers received guidance and/or training\n                   HHS adopted various methods to ensure that its policies regarding classified NSI\n                   are followed. For example, guidance and training regarding HHS\xe2\x80\x99s classified NSI\n                   policy and Handbook are disseminated to individuals who develop and access\n                   classified information. These individuals include the four OCAs (the Secretary,\n                   Deputy Secretary, Director of OSSI, and Associate Director of OSSI),\n                   Classification Security Officers, and individuals who possess security clearances.\n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)   8\n\x0c                   Guidance regarding HHS\xe2\x80\x99s policy and Handbook was reportedly\n                   disseminated to administrative leads, Classification Security\n                   Officers, and other individuals who access classified NSI; however,\n                   not all Classification Security Officers received guidance\n                   To ensure that HHS\xe2\x80\x99s policies related to classified NSI are followed, OSSI\n                   officials reported that they disseminated guidance to lead administrators, OCAs,\n                   Classification Security Officers, and other individuals who access classified NSI.\n                   OSSI officials reported that HHS\xe2\x80\x99s Classified National Security Information\n                   Policy was disseminated directly to the lead administrators of the divisions. OSSI\n                   officials reported that the Handbook was also disseminated directly to the\n                   Classification Security Officers, who are responsible for ensuring that their\n                   divisions adhere to policies for handling classified NSI. OSSI officials further\n                   reported that the classified NSI policy and Handbook were disseminated to the\n                   four OCAs.33 Policies related to classified NSI and the Handbook are updated\n                   each time a relevant Executive Order is issued.\n                   Of the 16 Classification Security Officers surveyed, 13 indicated that they had\n                   received guidance regarding HHS\xe2\x80\x99s policies for handling and classifying\n                   information since becoming Classification Security Officers. Four specifically\n                   reported receiving HHS\xe2\x80\x99s Handbook. Of the nine Classification Security Officers\n                   who did not report receiving the Handbook, eight reported receiving HHS\xe2\x80\x99s\n                   policy or general guidance from OSSI concerning classified information; one\n                   reported receiving information but could not recall the content. Of the three\n                   Classification Security Officers who indicated that they did not receive guidance,\n                   two reported that their divisions did not develop or maintain classified\n                   information. The third reported that he had not received guidance since joining\n                   HHS in 2010. However, he reported receiving training related to classified NSI\n                   from his former Federal employer.\n                   Training was reportedly provided to OCAs, Classification Security\n                   Officers, and other individuals who accessed classified NSI;\n                   however, not all Classification Security Officers received training\n                   OSSI officials reported that HHS has established required training for individuals\n                   who develop and access classified NSI (OCAs, Classification Security Officers,\n                   and individuals with security clearances). The four OCAs are required to\n                   complete annual training on making original classification decisions. The OCAs\n                   are also required to complete annual refresher training. OSSI officials reported\n                   that all four OCAs had completed their annual training for 2012.\n                   OSSI officials indicated that Classification Security Officers are also required to\n                   receive training. Of the 16 Classification Security Officers surveyed, 14 indicated\n                   that they had received some type of training since becoming Classification\n\n                   33\n                        OSSI officials confirmed that all four OCAs received HHS\xe2\x80\x99s policy and Handbook.\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)       9\n\x0c                   Security Officers for their divisions. These 14 Classification Security Officers\n                   reported receiving training on a number of topics, including handling and\n                   safeguarding classified information, transmitting classified information, original\n                   classification, derivative classification, downgrading and declassification,\n                   marking of classified materials, and storage of classified information. The two\n                   who did not receive training reported that their divisions do not develop or\n                   maintain classified information.\n                   In addition to OCAs and Classification Security Officers, other individuals with\n                   access to classified NSI are required to receive training. OSSI officials reported\n                   that these individuals received training on topics such as handling, safeguarding,\n                   identifying, and marking classified NSI.\n\n\n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)   10\n\x0c                   CONCLUSION AND RECOMMENDATION\n                   As mandated by the Reducing Over-Classification Act, we assessed whether HHS\n                   has adopted, followed, and effectively administered policies regarding classified\n                   NSI. HHS\xe2\x80\x99s policies for classified NSI are consistent with Federal requirements\n                   outlined in Executive Order No. 13526 and its implementing Directive. Some\n                   HHS divisions have established additional procedures to implement the\n                   Department\xe2\x80\x99s classified NSI policy, such as FDA\xe2\x80\x99s classification guide for the\n                   Center for Food Safety and Applied Nutrition, CDC\xe2\x80\x99s guidance on classification\n                   and marking of classified NSI, and a draft policy on interagency information\n                   sharing across Federal agencies. Additionally, to ensure that its classified NSI\n                   policies are effectively administered, HHS requires annual status reports and\n                   self-inspections. HHS uses the findings from the annual status reports and\n                   self-inspections to provide ISOO with information regarding HHS\xe2\x80\x99s classified\n                   NSI program. Finally, HHS provides guidance and training to individuals who\n                   access classified NSI to ensure that its policies are followed. However, not all of\n                   the Classification Security Officers received the guidance or training.\n                   We conclude that HHS has adopted policies regarding classified NSI and methods\n                   to ensure that the adopted policies are effectively administered and followed.\n                   However, the methods that HHS uses to ensure that Classification Security\n                   Officers receive appropriate guidance and training may not be effective.\n                   Therefore, we recommend OSSI, working on behalf of the Office of the\n                   Secretary:\n                   Clarify Who Is Responsible for Ensuring That Classification Security\n                   Officers Receive Training\n                   HHS\xe2\x80\x99s Classified National Security Information Policy does not specify who is\n                   responsible for ensuring that Classification Security Officers receive training.\n                   OSSI should revise this policy to clarify who is responsible for ensuring that\n                   designated Classification Security Officers receive training regarding the handling\n                   and safeguarding of classified information.\n                   Ensure That All Classification Security Officers Receive Guidance\n                   and Training Regarding Classified NSI\n                   OSSI should ensure that all Classification Security Officers are aware of their\n                   responsibility to provide their divisions with guidance and oversight on the\n                   handling and safeguarding of classified NSI. OSSI should also ensure that all\n                   Classification Security Officers receive guidance concerning HHS\xe2\x80\x99s classified\n                   NSI program, including HHS\xe2\x80\x99s Handbook.\n                   Although some divisions may not develop or maintain classified information,\n                   their Classification Security Officers have access to and may receive classified\n                   information. Therefore, OSSI should ensure that all Classification Security\n                   Officers receive training concerning HHS\xe2\x80\x99s classified NSI program. Further,\n                   OSSI should inform HHS divisions that, regardless of whether the divisions\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)   11\n\x0c                   develop or maintain classified information, division heads and Classification\n                   Security Officers are responsible for ensuring that divisions follow HHS policies\n                   regarding classified NSI.\n\n                   AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL\n                   RESPONSE\n                   OSSI concurred with both recommendations. In response to the first\n                   recommendation, OSSI indicated that it is revising the HHS Handbook to ensure\n                   that HHS division heads are aware of their responsibility to provide their divisions\n                   with guidance and oversight on the handling and safeguarding of classified NSI.\n                   OSSI also stated that it reissued the classified NSI policy and Handbook to all\n                   Classification Security Officers in mid-December 2012, to ensure that they all had\n                   their own copies, regardless of whether their divisions develop or maintain\n                   classified information.\n                   In response to the second recommendation, OSSI said that it communicated with\n                   all Classification Security Officers to ensure that they are properly trained and\n                   have received appropriate guidance. Further, OSSI stated that it would start\n                   providing semiannual training for all Classification Security Officers in the spring\n                   of 2013 to ensure that established standards are acknowledged and maintained.\n                   We did not make any changes to the report based on OSSI\xe2\x80\x99s comments.\n\n\n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)   12\n\x0c                   APPENDIX A\n                   Definition of Each Classification Level\n                   Information may be classified at one of three levels: \xe2\x80\x9cTop Secret,\xe2\x80\x9d \xe2\x80\x9cSecret,\xe2\x80\x9d and\n                   \xe2\x80\x9cConfidential.\xe2\x80\x9d Below is a definition of each classification level.\n                   Top Secret is \xe2\x80\x9capplied to information, the unauthorized disclosure of which\n                   reasonably could be expected to cause exceptionally grave damage to the national\n                   security that the original classification authority is able to identify or describe.\xe2\x80\x9d34\n                   Secret is \xe2\x80\x9capplied to information, the unauthorized disclosure of which reasonably\n                   could be expected to cause serious damage to the national security that the\n                   original classification authority is able to identify or describe.\xe2\x80\x9d35\n                   Confidential is \xe2\x80\x9capplied to information, the unauthorized disclosure of which\n                   reasonably could be expected to cause damage to the national security that the\n                   original classification authority is able to identify or describe.\xe2\x80\x9d36\n\n\n\n\n                   34\n                      Executive Order No. 13526 \xc2\xa7 1.2. \n\n                   35\n                      Ibid. \n\n                   36\n                      Ibid. \n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)   13\n\x0c                          APPENDIX 8\n                          Agency Comments\n\n\n\n\n     /   ........ \n\n f       ._#                                              tEPAR\'T\'MEtolr OF HEAl."TH & HUUAN SERVICES\n ~~~----------------------Oftea~\n                          -----\xc2\xb7 _   ___s_b_\n                                 .___and   ~~_\n                                             _ \xc2\xb7 _,_mo\n                                                    __~-~-\xc2\xb7--\xc2\xb7-------=~~-------\n                                                                                              Februel\'y 22. 2012\n\n                 To:     Daniel R. LevinsOn\n                         Inspector General for EvaJuation and Inspections\n                         Depattment of Health & Human Services\n\n                 From: \t Dr. Joy Miller   /S/\n                         Deputy Assistant Sectelaty for Security\n                         Office of Security and Strategic Information (OSSI)\n                         Secretary\'s Senklr lnteillgenoe Official\n\n                Subject: OSSI Response to Draft Final OIG Reports, dated 29 January 2013.\n\n                References:\n                        OIG Report OEI..07~12...()()400 (Draft) HHS Adopee<l, Administered, and Generalty Followed\n                aassified htfonnation Policies, (OEI-07\xc2\xb712-00400)\n\n                       OIG Report OE1..07-12...()()401 (Draft) Originally and DerivaliYely Classified Documents Met\n                Most Federal Requirementa, (OEI-07-12...()0401)\n\n                 1. Purpose. To~ ruponses toOIG recommendations as noted In the refefenoe reportS.\n\n                2. Background. The Reducing Over-Ciaslification Act of 2010 mandated that the ll\'l$peCtef\n                Gene1111 for each te0eta1 government agency or dep81tr\'nent who have ernpk)yees authorized to\n                make original classlfic:lltio decisions conduct two evaluations One evaluation is intended to\n                assess whefhef applicable classllcation pofldes have been adopted, erfedively administered. and\n                followed: and the OCher to Identity prac:tlc:u that may e\xc2\xabttribule to milclasalficatl of ~l\n                These evaluatioos wil be~ by 30 September, 2013. Then. a second evaluation, to be\n                ~ by 30 Sepeember, 2016 must review progress made punuant to the results of tt1e first\n                evaluation. The HHS Special Security Officer (SSO) serves as lead for coordinating Department\n                wide implementation of the HHS Classified National Security Information (NSI) Policy\n\n                3. OIG Report OEI-07-12...()0400 (Draft). This OIG report addressed the first requited evaluation\n                and assessed whether HHS had adOpted, effectiYely admintstered. and folloWed polloes regarding\n                Classified NSI.\n\n                        A. \t O!G RICiO!I!!!lt!1da. Clarify who is responsl;ble for ensuring that Classification\n                              Security Officers {CSO) receive ttaining.\n\n                        B \t OSSJ Baponu. Concur. OSSI is In the process of revising the HHS Cla$sifled\n                            Natlonat Security Information Handboot<, dated 17 February 2012 to ensure\n                            OPISTAFF OIV CSOs a rot aware of their responsibility to provide their dMsions with\n                            guidance and oversight on the hand"ng ancl58feguardlng of classified NSI.\n                            Additionally, OSSI reissued the Classified NSI Polley and Handbook to all OPISTAFF\n                            OtV CSOs in mid-tlocember 2012, to ensure each had !heir own <:OPY of the\n                            handbook. regardlesa of whether their divisions deve4op or maintain ctasslfied\n                              nfotmation.\n\n                        C . \t OIG Reeommenditlon. Ens\\lre that all Claslftcation Security Ofl\'icers receive\n                              guidance and training regarding Classified National Security Information\n\n\n\n                                                                   1\n\n\n\n\nHHS Adopted, Administered , and Generally Followed Classified Information Policies (OEI-07-12-00400)                  14\n\x0cNote: The Office of Security and Strategic Information did not include any editorial or technical comments in the attachments\nreferenced in its response.\n\n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)                             15\n\x0c                   ACKNOWLEDGMENTS\n                   This report was prepared under the direction of Brian T. Pattison, Regional\n                   Inspector General for Evaluation and Inspections in the Kansas City regional\n                   office, and Brian T. Whitley, Deputy Regional Inspector General.\n                   Rae Hutchison served as the project leader for this study. Other Office of\n                   Evaluation and Inspections staff from the Kansas City regional office who\n                   conducted the study include Michael J. Brown and Jordan R. Clementi. Central\n                   office staff who provided support include Althea Hosein, Debra Roush, and\n                   Talisha Searcy.\n\n\n\n\nHHS Adopted, Administered, and Generally Followed Classified Information Policies (OEI-07-12-00400)   16\n\x0c                Office of Inspector General\n                                 http://oig.hhs.gov\n\nThe mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as\namended, is to protect the integrity of the Department of Health and Human Services\n(HHS) programs, as well as the health and welfare of beneficiaries served by those\nprograms. This statutory mission is carried out through a nationwide network of audits,\ninvestigations, and inspections conducted by the following operating components:\n\nOffice of Audit Services\nThe Office of Audit Services (OAS) provides auditing services for HHS, either by conducting\naudits with its own audit resources or by overseeing audit work done by others. Audits\nexamine the performance of HHS programs and/or its grantees and contractors in carrying\nout their respective responsibilities and are intended to provide independent assessments of\nHHS programs and operations. These assessments help reduce waste, abuse, and\nmismanagement and promote economy and efficiency throughout HHS.\n\nOffice of Evaluation and Inspections\nThe Office of Evaluation and Inspections (OEI) conducts national evaluations to provide\nHHS, Congress, and the public with timely, useful, and reliable information on significant\nissues. These evaluations focus on preventing fraud, waste, or abuse and promoting\neconomy, efficiency, and effectiveness of departmental programs. To promote impact, OEI\nreports also present practical recommendations for improving program operations.\n\nOffice of Investigations\nThe Office of Investigations (OI) conducts criminal, civil, and administrative investigations\nof fraud and misconduct related to HHS programs, operations, and beneficiaries. With\ninvestigators working in all 50 States and the District of Columbia, OI utilizes its resources\nby actively coordinating with the Department of Justice and other Federal, State, and local\nlaw enforcement authorities. The investigative efforts of OI often lead to criminal\nconvictions, administrative sanctions, and/or civil monetary penalties.\n\nOffice of Counsel to the Inspector General\nThe Office of Counsel to the Inspector General (OCIG) provides general legal services to\nOIG, rendering advice and opinions on HHS programs and operations and providing all\nlegal support for OIG\xe2\x80\x99s internal operations. OCIG represents OIG in all civil and\nadministrative fraud and abuse cases involving HHS programs, including False Claims Act,\nprogram exclusion, and civil monetary penalty cases. In connection with these cases, OCIG\nalso negotiates and monitors corporate integrity agreements. OCIG renders advisory\nopinions, issues compliance program guidance, publishes fraud alerts, and provides other\nguidance to the health care industry concerning the anti-kickback statute and other OIG\nenforcement authorities.\n\x0c'